Infrastructure Vulnerability Assessment - · PDF fileInfrastructure Vulnerability Assessment ... • Testing Network Security ... • Presentation Protocol Models

San Francisco Chapter

Infrastructure Vulnerability Assessment

Presented by:

California State Automobile Association – AAA Northern California

Derek Koopowitz – IT Audit Manager

Norm Gutierrez – Senior IT Auditor

Rob McIndoe – Senior IT Auditor


2007 Fall Conference

2

Infrastructure Vulnerability AssessmentAgenda

• What Is A Vulnerability Assessment?• Vulnerability Assessment Process• Business Case For A Vulnerability Assessment• Footprinting• Testing Network Security• Testing Operating System and Web Application

Security• Testing Database Security• Vulnerability Management• Q & A



3

What Is A Vulnerability Assessment?

Generally called Ethical Hacking or Network

Penetration testing. Another term usedthese days is Red Teaming. Essentially weare trying to detect network and systemvulnerabilities and to test security by takingan “attacker” like approach in order to gainaccess. We want to enhance security in ourinfrastructure and a VA is a great way toaccomplish that goal.



4

What Is A Vulnerability Assessment?cont’d.

A vulnerability assessment is beingproactive. It determines one’s susceptibilityto an attack before networks are exploited,and it forces companies to take earlycorrective action. It can show theconsequences of an attack to yourorganization.



5

Vulnerability Assessment Process

• Impartial assessment - should not be done by IT(fox guarding the hen house)

• Customer consent must be obtained• Define the scope – general or specific

depending on cost/time. Areas to test can be:

Internet security (port scanning, password cracking, etc.)Communications security (VM testing, modem testing, etc.)Information security (privacy, etc.)Social engineeringWireless securityPhysical security (access controls, etc.)



6

Business Case For A VulnerabilityAssessment

• Protect the crown jewels (data)

• Comply with Federal/State laws such as SoX,HIPAA and Privacy

• Comply with vendor requirements such as PCI

• Avoiding unneeded publicity for our company(i.e. TJ Maxx, ChoicePoint)

• Preparing For Potential Infrastructure Breach

• Independent Assessment



7

Footprinting

Layman’s term is reconnaissance. This isthe information gathering aspect of the VA –obtain all system and user information tounderstand the environment. Use thisinformation to execute local and remoteattacks. Reduces the risk of beingdiscovered.



8

Footprinting (cont’d)

Methodology used:

• Publicly available information

Company web pages

SEC Edgar

Search sites (Yahoo, Google, etc.)

Usenet

Job postings



9


Methodology used:

• Internet footprinting

Whois

ARIN

Traceroute

NSLookup



10


Methodology used:

• Scanning

Port scanning (ping sweep, etc.)

Network scanning (nmap, Superscan, etc.)

Vulnerability scanning (Nessus, Satan, etc.)

Wardialing (Phonescan, Toneloc, etc.)

Banner grabbing



11

Testing Network Security

• Why test the network

• What is the objective of testing

• Risks associated with not testing

• How to test the network



12

Testing Operating System and WebApplication Security

• Why test OS and application security



• How to test the OS and application



13

Testing Database Security

• Why test database security



• How to test database security



14

Infrastructure Vulnerability AssessmentComputer Networks

• PresentationProtocol Models

Communication Components and Devices

Infrastructure Attacks

Infrastructure Vulnerabilities

Passive Attacks

• DemonstrationSniff Passwords Over a Network

Sniff Passwords Over a Wireless Network

• Q & A



15

Protocol Models

Communication Architecture and Protocols

• ISO’s OSI Model

• DARPA’s TCP/IP Model

Acronyms

• ISO - International Organization for Standardization

• OSI - Open Systems Interconnection

• DARPA - Defense Advanced Research ProjectsAgency

• TCP - Transmission Control Protocol

• IP - Internet Protocol



16

OSI Model

OSI is a computer-communicationsarchitecture that uses layering. Eachlayer performs a related subset of thefunctions required to communicate withanother system. It relies on the nextlower layer to perform more primitivefunctions and to conceal the details ofthose functions.



17

Seven Layers of the ISO/OSI Model



18

OSI Seven Layers and Function

• Physical - Deals with electrical and mechanical procedures (bits) toestablish, maintain, deactivate physical links

• Data Link – Sends blocks (frames) of data across physical linkproviding flow control and error recovery

• Network – Provides upper layers with independence from datatransmission and switching technologies

• Transport – Provides reliable, transparent transfer of data betweenend points, flow control and error recovery

• Session – Provides controls structure for communication betweencooperating applications

• Presentation – Performs generally useful transformations on data toprovide a standardized application interface and to provide commoncommunications services; encryption, text, compression,reformatting

• Application – Provides services to users. Defines networkapplications to perform tasks such as file transfer, e-mail, networkmanagement



19

OSI Relationship with TCP/IP Protocol Suite

• OSI is a reference to protocols, specificallyISO standards, for the interconnection ofcooperative computer systems

• TCP/IP is a type of OSI protocol

• When referring to ISO standards, TCP/IPis not an OSI protocol (i.e., TP-0,TP-1)



20

OSI Layer Mapped To TCP/IPMapped to Protocols



21

TCP/IP Background

• TCP/IP Protocol Suite resulted fromresearch funded by DARPA

• The protocol suite was designed to fostercommunication between computers:

With diverse hardware architectures

To accommodate multiple computer operatingsystems

Using any packet switched network



22

TCP/IP Background (cont’d)

• TCP/IP Protocol Suite Provides ThreeConceptual Sets of Internet Services

Application Services

Reliable Transport Service (TCP)

Connectionless Packet Delivery (UDP)

Note: User Datagram Protocol (UDP)



23

IP Datagram Anatomy

• TCP/IP’s Basic Transfer Unit is an IP Datagram

Fields VER - Version HLEN – Header Length Service Type Length ID, Flags, and Flags Offset TTL – Time To Live Protocol

Header Checksum Source IP Address

Destination IP Address

IP Options Padding Data



24

TCP Anatomy

TCP Packet Segment Format• Source Port

• Destination Port

• Sequence Number

• Acknowledgement Number

• HLEN

• Reserved

• Code Bits

• Window

• Checksum

• Urgent Pointer

• Options (IF ANY)

• Padding

• Data



25

UDP Anatomy

UDP Packet Segment Format

• Source Port

• Destination Port

• Length

• Checksum

• Data



26

Communication Components

• Packet - A physical message unit entity thatpasses through a network sending and receivingdata between two computers

It usually contains only a few hundred bytes of data

Carries identification that enables computers on thenetwork to know whether it is destined for them orhow to send it on to its correct destination

• Networks - Packet-Switched Networks



27

Packet-Switched Network Technologies

Some examples are:

• MPLS – Multiprotocol Layer Switching

• Ethernet

• X.25

• Frame Relay



28

Network Devices

• Hubs

• Switches

• Routers

• Firewalls



29

Hubs

• Operates at Layer 1 (Physical) of the OSImodel

• Forwards packets by simply broadcastingto every port

• Does not look at address information

• Floods incoming packets to every port

• Each port is the same collision domain

• Each port shares the available bandwidthand hosts must contend for access



30

Switches

• Operate at Layer 2 (Datalink) protocol

• Switches forward traffic based ondestination MAC address

• Ports are not in the same collision domain

• Switches create a private connectionbetween hosts on a network with fullaccess of medium’s bandwidth tocomplete a transaction



31

Hub vs. Switch – How they differ

On a switch, after the host B MACaddress is learned, unicast traffic fromA to B is only forwarded to the B port.Therefore, a sniffer would not be able tosee this traffic.

When a hub receives a packet on one port, the hub sendsout a copy of that packet on all ports except on the onewhere the hub received the packet



32

Routers

• Routers interconnect different technologiesspanning various distances and locations(Internet vs. Intranet)

• Operate at Layer 3 (Network) providing routableaddressing

IP is a Layer 3 Protocol

IP addresses contain for 4 octets (i.e. 69.147.114.x)

• Routers forward traffic between IP networksTraffic doesn’t flood

Router rely on Routing Table



33

Firewalls

• Operates at Layer 3 (Network). Allows and denies selected IP trafficto and from network segments and/or hosts (i.e. 192.168.5.0/24)(Note: Proxy Servers Operate at Layer 7)

• 1st Generation Packet Filtering Firewall – Acts by inspecting thepackets. If a packet matches the packet filter's set of rules, thepacket filter will drop (silently discard) the packet, or reject it (discardit, and send "error responses" to the source). This type of packetfiltering pays no attention to whether a packet is part of an existingstream of traffic (it stores no information on connection "state").

• 2nd Generation Stateful Firewall – In addition to inspecting packets,the technology maintains records of all connections passing throughthe device and is able to determine whether a packet is the start of anew connection, or part of an existing connection



34

Firewall and Router – Network Diagram



35

Infrastructure Attacks

• Degradation and Denial of Service (DoS)

Components have finite resources:

Bandwidth

Processing Power

Resources are vulnerable to exhaustion

Causing degradation or denial of service

Well-engineered infrastructure can resist simpleresource attacks

With extra capacity for unexpected load

By identifying and filter illegitimate traffic



36

Infrastructure Attacks (cont’d)

• Bandwidth Exhaustion

– Bandwidth attacks overwhelm a target with traffic

With or without legitimate payload

– Infrastructure most vulnerable where traffic is blindlytransmitted

Routers forward any packet matching routing table

Switches flood broadcasts and traffic destined forunlearned addresses

Hubs flood everything

– Packets can be crafted to look completely random

Making filtering difficult



37


• Multiplying Utilization

– Some packets cause targets to sendresponses

Multiplies the use of bandwidth

Might flood another network

– Ping floods

Network is flooded with ICMP Echo Requests

Echo Replies are sent for each request



38


• Multiplying Utilization (cont’d)

– TCP floods

TCP suggests end systems respond to all trafficwith a connection acknowledgement or reset

Bandwidth attacks overwhelm a target with trafficwith or without legitimate payload

– UDP floods

Response is not guaranteed by the protocol

End servers may respond



39


• Process Exhaustion– Some Infrastructure components perform significant

processing

Switches and routers analyze each incoming packet

Stateful packet filters maintain state tables

Proxies launch new processes or threads for eachconnection attempt

– Firewall processing is vulnerable to TCP and UDPfloods

Even when sufficient bandwidth remains proxy firewalls willanswer each request

Stateful inspection firewalls allocate system resources



40


• Inside vs. Outside– Attacks from outside usually affect public services

Aimed at the organization’s public servers and WANservicesPrevents access to and from the Internet

– Attacks from inside can disrupt internal servicesUsually from compromised internal systemsPrevents access to internal servers and networksFlooding internal networks requires substantial traffic rates



41


• Distributed DoS– Resource attacks can be initiated from a

single sourceRequires the attacking host have sufficientresources

– Many resource attacks are controlled bydistributed toolsets

Installed on previously compromised systems

– A popular DDos toolkit is TribeFloodNet(TFN)



42


• Covert Channels– Covert channels transmit data in non-standard ways

Place data in non-suspicious packets or header fields

Packet header fields are rarely interpreted as informationcarriers making them ideal for use as covert channels

IP fragment ID

TCP sequence number

Usually from compromised internal systems

– Packets can be bounced off intermediate systemsUseful if firewall limits inbound traffic to trusted sites

– Proxy and NAT-based firewalls limit the effectivenessof covert channels

Because they rewrite packet headers



43

Infrastructure Vulnerabilities

• Device Configuration Vulnerabilities– Many infrastructure components must be configured

by administratorsSwitches, routers, and firewalls

– Remote administration is convenient and sometimesessential

– Administration protocols can introduce configurationvulnerabilities

Telnet and HTTPSimple Network Management Protocol (SNMP)Dynamic routing protocols such as RIP, OSPF, and BGP



44

Infrastructure Vulnerabilities (cont’d)

• SNMP Vulnerabilities

– SNMP is the de facto standard for remotely monitoring devices

Can also be used to configure them

– SNMP v1 uses inherently vulnerable techniques

Implemented over UDP

Transmits passwords unencrypted

Widespread use of default passwords: public and private

– Most implementations are vulnerable to attack

By sending misformatted queries

Attack devices can stop functioning

– Later versions of SNMP mitigate these risks

Better authentication

Encryption



45


• Telnet and HTTP Vulnerabilities

– Default security settings are often inadequate

Factory passwords

Unrestricted access

– Passwords are transmitted in the clear

Sometimes transiting production networks

We’ll explore eavesdropping on passwords

– Routine security procedures can mitigate the risk

Restrict access to the minimum number of addresses

Keep administration traffic on protected segments

Regularly change passwords and use encryption



46


• Routing Protocol Vulnerabilities

– Routers can be attacked by transmitting spoofedrouting information

Some routing protocols have poor securitymechanisms

– RIP routing information is broadcastAny host on the router’s subnet can inject routes

– OSPF routing information is multicastAny host on the router’s subnet can inject routes

– BGP routing information is unicastHardest to spoof



47

Passive Attacks

• Benefits of Sniffing

– Sniffers are used to diagnose networkproblems

Technicians view actual packet exchanges fortroubleshooting

– Monitoring traffic as part of routine networkmanagement

Bandwidth use, packet sizes, protocoldistribution, etc.

– IDS relies on sniffing network trafficSignatures match on packet payload



48

Passive Attacks (cont’d)

• Dangers of Sniffing

– Many application protocols transmit payloadunencrypted

E-mail and instant messaging

Telnet, FTP, and Web servers

Authentication exchanges sent “in the clear”

– Attackers often install sniffers on compromisedhosts

Save decoded packets for later retrieval

User names and passwords can be easilydiscovered



49


Sniffing Hubs and Switches– Hubs make promiscuous sniffing very easy

All traffic transiting a hub is repeated out all ports

A sniffer connected to any hub port sees all traffic on the hub

– Switches are not “sniffer-friendly”Unicast traffic transiting a switch is forwarded to a single port

Based on the destination MAC address

Each port is a separate collision domain

Sniffer connected to a switch port sees only that port’s traffic

– Common belief: Switches prevent sniffing other hostsNot true!

– Two techniques for sniffing a switched environmentMAC flood attacks the switch

ARP poisoning attacks



50


• Remote Access– Many organizations provide facilities for remote

access to their networkDial-up modem banks

Wireless access points

Virtual Private Network (VPN)

– Often these facilities terminate behind a securityboundary

Bypass firewall systems and IDS

Allow an outside system to appear as an inside system

– Discovering and exploiting remote access can provideinside access



51


• Wireless Networking

– Wireless networking installationsFollowing the IEEE 802.11 Series of standards

– Wireless networks can be configured in twoways

Peer-to-Peer

Wireless LANS (WLAN)



52


• Wireless Networking (cont’d)

– Insecure WAPs result in critical exposure ofinternal networks

WLANs behind firewall provides a backdoor tothe inside network

Traffic can be sniffed without physical insideaccess



53

Summary

• When auditing an application, system orenvironment, test the network segment itresides on

• Controls and security are only as good asthe network

• Minimize attack surface by segmentingnetworks and forcing only authorizedphysical access to network jacks



54

Sniff Traffic Over A Network – Demo

Create a "mirror" image of data goingthrough a network device

Use an a hub for fanning out data to aread-only analyzer

Use an open-source network analysistools running over Linux or Windowssuch as the Snort and Ethereal protocolanalyzer

View data and passwords in clear text



55

Analyze The Security of A WirelessNetwork- Demo

Identify Wireless Access Points using anOpen Source Tool (Kismet)

Compromise WLAN using a WEPCracking Tool (Airsnort)

Scan WLAN for vulnerable nodes

Compromise a multi-homed node withboth WLAN and LAN access

Compromise a second node that resideson a separate LAN (optional)



56

Q & A



57

Infrastructure Vulnerability AssessmentOperating Systems and Web Applications

• PresentationOS Shared Services Dependencies

Common System and Application Vulnerabilities

• DemonstrationTesting System Security

Testing Password Security

Testing Web Server Security

Windows Null Session Vulnerability

• Q & A



58

OS Shared Services Dependencies

• Components supported by operatingsystems

- Systems

DNS

IIS

Active Directory

E-Mail

Web



59

Common System and ApplicationVulnerabilities

• Introduction of System Vulnerabilities

– Incorrect configurations

– Poor programming producing software bugs

– Default settings applied

– Default passwords

– Windows Null Session vulnerability



60

Incorrect Configurations

• Incorrect system configuration lead to systemvulnerabilities

• i.e. Antivirus signatures out of date leavesystems exposed to Trojans and other malware

• During period of outdated antivirus signaturedefinition

• Potential resultant exploit impacting an infectedsystem:

• Infected system sending company dataoutbound



61

Incorrect Configurations (cont’d)

• Outbound traffic on port 80 and/or 443 unrestricted

– Outbound traffic sourced from a compromisedsystem - corporate data egress company firewall viaport 80 or 443 unnoticed (keystroke loggers, Trojans)

• Un-patched Web server Operating Systems

• Incorrectly configured Web server applications (IIS,Apache)

• Sound Threat and Vulnerability management program isessential

• Ensure workstations are patched and anti-virus /spyware definitions are up to date



62

Poor Programming Producing SoftwareBugs

• Unsecured coding practices

• Lack of secure coding education and trainingand necessary security analysis tools to test forinsecurely written code instances

• Unsecured web applications residing on publicfacing web sites

• Potential resultant Identity Theft exploits below:

SQL Injection

Cross Site Scripting



63

Default Settings Applied

• Unnecessary services i.e. Telnet, FTP, SMTPturned on by default for ease of use andimmediate functionality availability

• Lack of configuration management standards tosecure the OS after deployment

• During system build process and/or environmentchange

• Malware potentially exploiting vulnerablesystems with unnecessary services running



64

Default Passwords

• Obtain user account credentials with administrator orroot privileges

• Passwords are generally stored and transmitted in anencrypted form called a hash

• Password cracking employs captured password hashes

• Passwords hashes can be intercepted when they aretransmitted across the network (using a network sniffer)or they can be retrieved from the targeted system

• The latter generally requires administrative or “root”access on the target system



65

Default Passwords (cont’d)

• User configuration error

• Vendor supplied passwords are not changed. Absenceof system specific configuration management standards– go to www.defaultpasswords.com for more information.

• During system build process or environment change



66

Windows Null Session Vulnerability

• Windows OS default behavior (IPC$)

• Windows administrative shares use IPC tocommunicate

• When LAN Manager authentication ispermitted in a Windows environment



67

Testing Systems Security - Demo

Scan systems for vulnerabilities

– Perform Nessus and/or MBSA scan of W2K

Server – displaying un-patched systems

– Install keystroke logger and/or Trojan onWorkstation

– Show where keystroke logger is sendingdata via outbound e-mail from compromisedworkstation



68

Testing Password Security - Demo

Obtain a password hash file from a vulnerablesystem

Show tools to crack password hashes

– Use tools to identify and exploit weakpasswords using password cracking tools



69

Testing Web Server Security - Demo

Analyze the security of a web server

– Use tools to identify and exploit a webapplication to elicit an improper responsefrom the site – that could potentially lead todisclosure of private information or phishingattacks



70

Windows Null Session - Demo

Show how null session is exploited



71

Q & A



72

Infrastructure Vulnerability AssessmentRelational Database Systems

• PresentationRelational Database Overview

SQL

Oracle Configuration Vulnerabilities

Footprinting Databases

Enumerating an Oracle Server

Attacking the TNS Listener

Mitigating Oracle Vulnerabilities

• DemonstrationEnumerate and Compromise an Oracle Database

• Q & A



73

Relational Database Overview

Examples of Relational Database Products

• Oracle

• Microsoft SQL Server

• SAP

• DB2

• MySQL

• PostgreSQL

• Microsoft Access



74

Relational Database Overview (cont’d)

• A database management system (DBMS) isthe software which controls the storage,retrieval, deletion, security, and integrity ofdata within a database

• An RDBMS is a DBMS which manages arelational database

• A relational database stores data in tables• Tables are organized into columns, and each

column stores one type of data (i.e. integer,real number, character strings, date)

• The data for a single “instance” of a table isstored as a row



75


• For example, the Customer table would have columnssuch as CustomerNumber, FirstName, and Lastname,and a row within that table would be something like{1701, “John”, “Doe”}

• Tables typically have keys, one or more columns thatuniquely identify a row within the table, in the case ofthe Customer table the key would be CustomerNumber

• To improve access time to a data table you define anindex on the table. An index provides a quick way tolook up data based on one or more columns in thetable, just like the index of a book enables you to findspecific information quickly



76


• The most common use of RDBMS’s is to implementsimple CRUD – Create, Read, Update, and Delete –functionality

• For example an application could create a newtransaction and insert it into your database

• It could read an existing transaction, work with the data,and then update the database with the new information

• It could also choose to delete an existing transaction,perhaps because the customer has cancelled it

• The vast majority of your interaction with an RDBMS willlikely be to implement basic CRUD functionality



77


• The easiest way to manipulate arelational database is to submitStructured Query Language (SQL)statements to it

• SQL retrieves and manages data storedin a relational database system



78

SQL

• Auditor’s can quickly review controls using SQLstatements

• Scripts can be used to execute numerous keySQL statements that provide valuableinformation

• Common criticisms of SQL include a perceivedlack of cross-platform portability betweenvendors, inappropriate handling of missing data(i.e. null fields), a complex three-valued logicsystem, and its complex and occasionallyambiguous language grammar and semantics



79

Oracle Configuration Vulnerabilities

• Oracle has default userid’s and passwords

– Default accounts if enabled or unchanged could resultin gaining DBA privileges

• Examples of Oracle Default accounts andpasswords

– SYS = CHANGE_ON_INSTALL

– DBSNMP = DBSNMP

– CTXSYS = CTXSYS

– MDSYS = MDSYS

– OUTLN = OUTLN



80

Oracle Configuration Vulnerabilities (cont’d)

• If operating system controls are weak theability to connect and gain DBA privilegesexist

• Oracle inserts an OS user account into amember group (i.e., DBA_ORG) whichallows that user to gain DBA access



81

SQL Server Vulnerabilities

• Blank SA password

• Buffer overflow can occur with an overly longrequest for SQL servers is sent to UDP port1434

• Direct exploit attacks using a tool such asMetasploit

• SQL injection

• Blind SQL injection

• Extended stored procedures contain bufferoverflows



82

Footprinting Databases

• Utilize a port scanner to look for commonports used by database servers

• Examples of default ports are:

– 1433/1434 - Microsoft SQL

– 1521 - Oracle

– 4100 - Sybase



83

Enumerating An Oracle Server

• Determine an Oracle version number byconnecting to a TNS (TransparentNetwork Substrate) Listener Service

– Each Oracle version has known vulnerabilities

• Identify Database Instances

– In order to access data in the database youneed to have an instance name



84

Attacking The TNS Listener

• A TNS Listener without an assignedpassword allows for:

– Enumeration which can lead to compromise

– Remote user to execute a command whichcould fill up a log file on the local file systemuntil system halts



85

Mitigating Oracle/SQL Server Vulnerabilities

• Set a TNS Listener Password

• Set an SA Password (SQL Server)

• Turn on Admin Restrictions

• Turn off External Procedures

• Turn off XML Database

• Encrypt Network Traffic

• Lock and Expire Unused Accounts

• Change Default Passwords



86

Mitigating Oracle/SQL Server Vulnerabilities(cont’d)

• Define and Enforce a Good Password Policy– Password Length– Password Expiration Date– Password History

• Roles– Permissions should be granted on the principle of

least privilege

• Disable Remote Authentication• Enable Account Lockout• Limit the number of accounts that are assigned

a DBA role



87

Mitigating Oracle/SQL Server Vulnerabilities(cont’d)

• Enable Auditing

• Enable Data Dictionary Protection

• Enable Database Link Login Encryption

• Create Triggers

• Conduct audits to ensure security postureis acceptable

• Patch, patch, patch…



88

Enumerate Oracle - Demo

Scan for Open Ports

Connect to TNS

View Database Instance

Connect to instance via SQL

Exploit Default Password Vulnerability

Download Password Hash File

Use a program like CAIN AND ABEL tocrack passwords



89

Q & A



90

Vulnerability Management

What is a vulnerability management process?

• What systems do we have?– Current inventory of systems (hardware and software)

• Identify vulnerabilities and prioritize based on risk– Gather information which focuses on the vulnerabilities affecting

your systems– Evaluate the actual risks to your organizations security

• Fixing the vulnerabilities– Plan for a response (i.e. patching and fixing systems)

• Evaluate the end result– Trends in vulnerabilities– Systemic errors



91

Vulnerability Management (cont’d)

Vulnerability management isn’t…

• Just scanning – requires acting on theresults of the scans

• Just patching – requires tweakingconfigurations as well

• Just a technical solution – involves policyand process changes

• Just a local issue – look at the big picture



92

Q & A

Documents

Infrastructure Vulnerability Assessment - · PDF fileInfrastructure Vulnerability Assessment ... • Testing Network Security ... • Presentation Protocol Models